Back in March 2018, the Canadian Government quietly announced changes to the Personal Information Protection and Electronic Documents Act (PIPEDA). PIPEDA is the federal privacy law for private-sector organizations. It sets out the ground rules for how businesses must handle personal information in the course of commercial activity.
The deadline for these changes? November 1st, 2018.
So – what does this mean for you?
Among a few other things, the core of these changes is mandatory breach reporting. The amendments impose a new set of obligations on organizations to inform individuals when their personal information has been lost, stolen or inappropriately accessed and they are placed at risk of harm. Specifically, the Act states that:
- data breaches that pose a real risk of significant harm will need to be reported to the Privacy Commissioner, and affected individuals will need to be notified, as soon as feasible after the organization determines that a breach has occurred;
- an organization may also be required to notify other organizations if they are in a position to protect affected individuals from harm (e.g. credit card companies, financial institutions or credit reporting agencies, if their assistance is necessary for contacting individuals or assisting with mitigating harm);
- records of all data breaches experienced by an organization will need to be maintained and provided to the Privacy Commissioner upon request;
- deliberately failing to report a data breach, or deliberately failing to notify an individual as required, will be separate offences subject to fines of up to $100,000. In the case of notification to individuals, it will be a separate offence for every individual left without notification of the breach; and
- deliberately failing to keep data breach records, or destroying them, will also be an offence, subject to a fine of up to $100,000.
Does your business handle personal information that falls under PIPEDA? Are you prepared for the changes? Let us know in the comments below!